Let me post it here just in case someone comes here from Google and a solution using the unsafe libxml_disable_entity_loader(false) is not applicable. The following is the potential vulnerability if the entity loader is enabled on the system:
<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]> <scan>&test;</scan>
The thread-safety issue is explained here. Although you can register your own entity loader with libxml_set_external_entity_loader or use locks to protect calls to libxml_disable_entity_loader, these solutions seem a little confusing.
The good news is that the external entity problem only affects file-related functions (e.g. simplexml_load_file, DOMDocument::schemaValidate, etc.). This makes the solution simple and straightforward: first load the contents of the file as a string, and then call the corresponding libxml string function.
simplexml_load_string(file_get_contents($xml));
and/or
// Read the file yourself, then hand the string to the string-based functions
$xml = new DOMDocument('1.0', 'UTF-8');
$xml->loadXML(file_get_contents($xmlFile));
$xml->schemaValidateSource(file_get_contents($xsdFile));
Hope this helps someone.
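The read-the-file-then-parse-the-string pattern above as a complete function, added here as an example and not part of the original post. On top of the pattern it adds two defence-in-depth checks that the post does not mention: the parser runs with LIBXML_NONET and without LIBXML_NOENT, and any document that declares a DOCTYPE is rejected. The function name loadXmlSafely and the temp-file demo are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Parse an XML file using only the string-based libxml functions, so
// libxml_disable_entity_loader() is never called. Defence in depth beyond the
// post's pattern: LIBXML_NONET and no LIBXML_NOENT (no network fetches, no
// entity substitution), and any DOCTYPE is rejected since that is where
// ENTITY declarations live. Function name is an assumption for this example.
function loadXmlSafely(string $xmlPath, ?string $xsdPath = null): DOMDocument
{
    $xml = file_get_contents($xmlPath);
    if ($xml === false) {
        throw new RuntimeException("cannot read $xmlPath");
    }
    $previous = libxml_use_internal_errors(true); // collect errors, do not warn
    try {
        $dom = new DOMDocument('1.0', 'UTF-8');
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $err = libxml_get_errors()[0] ?? null;
            throw new RuntimeException('malformed XML: ' . ($err ? trim($err->message) : 'unknown'));
        }
        if ($dom->doctype !== null) {
            throw new RuntimeException('DOCTYPE declarations are not accepted');
        }
        if ($xsdPath !== null) {
            $xsd = file_get_contents($xsdPath);
            if ($xsd === false || !$dom->schemaValidateSource($xsd)) {
                throw new RuntimeException('XML does not match schema');
            }
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed demo: the payload quoted in the post, written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($tmp, '<!DOCTYPE scan [<!ENTITY test SYSTEM '
    . '"php://filter/read=convert.base64-encode/resource=/etc/passwd">]>'
    . '<scan>&test;</scan>');
try {
    loadXmlSafely($tmp);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
} finally {
    unlink($tmp);
}
```

The DOCTYPE check happens after loadXML, so it is based on what libxml actually parsed rather than on a byte match against the raw string.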